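query("SELECT id, username, display_name, is_admin, created_at FROM users ORDER BY id");
    json_ok(['users' => $stmt->fetchAll()]);
}

// NOTE(review): every branch below assumes json_ok()/json_error() terminate the
// request (otherwise the next branch and the final 404 would also run) — confirm
// in their definitions.

// POST /api/admin/users — create a user account (admin only).
// Body: {username, display_name, password, is_admin?}
if (get_method() === 'POST' && $admin_action === 'users') {
    require_admin();
    $body = get_json_body();
    // Coerce only scalars; a nested array/object in the body is treated as missing
    // instead of raising a TypeError inside trim()/mb_strlen().
    $scalar = static function ($v): string {
        return is_scalar($v) ? (string) $v : '';
    };
    $username = trim($scalar($body['username'] ?? null));
    $display_name = trim($scalar($body['display_name'] ?? null));
    $password = $scalar($body['password'] ?? null);
    $is_admin = !empty($body['is_admin']);

    // Compare against '' rather than relying on truthiness, so a username or
    // display name of "0" is not rejected as missing.
    if ($username === '' || $password === '' || $display_name === '') {
        json_error('Benutzername, Anzeigename und Passwort erforderlich');
    }
    if (mb_strlen($password) < 6) {
        json_error('Passwort muss mindestens 6 Zeichen haben');
    }

    $hash = password_hash($password, PASSWORD_DEFAULT);
    try {
        $stmt = $pdo->prepare(
            "INSERT INTO users (username, password_hash, display_name, is_admin) VALUES (:u, :h, :d, :a) RETURNING id"
        );
        $stmt->bindValue(':u', $username);
        $stmt->bindValue(':h', $hash);
        $stmt->bindValue(':d', $display_name);
        // Bind explicitly as bool: execute([...]) binds every value as a string,
        // and `false` would be sent as '' which some drivers reject for a
        // boolean/integer column.
        $stmt->bindValue(':a', $is_admin, PDO::PARAM_BOOL);
        $stmt->execute();
        json_ok(['id' => $stmt->fetchColumn(), 'message' => 'Benutzer erstellt']);
    } catch (PDOException $e) {
        // Unique violation: match the driver message case-insensitively (wording
        // and casing vary by driver) or SQLSTATE 23505 (unique_violation).
        // Anything else is not ours to translate and propagates.
        $isDuplicate = stripos($e->getMessage(), 'unique') !== false
            || (string) $e->getCode() === '23505';
        if ($isDuplicate) {
            json_error('Benutzername existiert bereits');
        }
        throw $e;
    }
}

// DELETE /api/admin/users/{id} — remove a user account (admin only).
if (get_method() === 'DELETE' && $admin_action === 'users' && !empty($segments[2])) {
    require_admin();
    $del_id = (int) $segments[2];
    if ($del_id <= 0) {
        json_error('Ungueltige Benutzer-ID');
    }
    // Cast the session value too: if user_id is stored as a string, an int
    // would never === it and the self-deletion guard would silently not apply.
    if ($del_id === (int) ($_SESSION['user_id'] ?? 0)) {
        json_error('Eigenen Account kann man nicht loeschen');
    }
    $stmt = $pdo->prepare("DELETE FROM users WHERE id = :id");
    $stmt->bindValue(':id', $del_id, PDO::PARAM_INT);
    $stmt->execute();
    json_ok(['ok' => true]);
}

// POST /api/admin/import — re-import all content (admin only).
if (get_method() === 'POST' && $admin_action === 'import') {
    require_admin();
    $stats = import_all_content($pdo);
    json_ok(['message' => 'Import abgeschlossen', 'stats' => $stats]);
}

// No admin route matched.
json_error('Unbekannter Admin-Endpunkt', 404);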